File system changes

Last updated on 2 December 2018


Purpose

This document outlines several methods to track changes to a website at the file or directory level. File system monitoring complements regular file and database backups rather than replacing them: monitoring tells you that something changed, backups let you restore what it was.

Goals

The goals of file system tracking include:

  • Monitor changed and added files
  • Log changes and additions
  • Revert individual changes
  • Automated alerts

General approaches

Administrators can monitor the file system using general technologies such as:

  • System utilities
  • Revision control
  • OS/kernel level monitoring

Specific tools

Options for file system monitoring include:

  • diff and drush make - build a clean copy of the site from its make file (or a clean checkout of the same release), then compare it against production with diff -r to find added or modified files
  • Git - source code management; git status and git diff show files that differ from the committed tree, but only for tracked paths, so an ignored uploads directory needs another method
  • inotify and incron - inotify is the Linux kernel's file event interface; incron is a cron-like user-space daemon that runs a command whenever a watched directory receives an inotify event
  • Watcher - Python daemon built on the inotify library
  • OSSEC - Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
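The incron approach from the list above, shown as an added example that is not part of this page, of Drupal or of the incron project. An incrontab line such as `/var/www/html/sites/default/files IN_CLOSE_WRITE,IN_CREATE,IN_DELETE,IN_MOVED_TO /usr/local/bin/drupal-fs-alert.sh $@ $# $%` (the path and the script name are assumptions) runs the handler below with the watched directory, the file name and the event flags. The handler ignores files outside a list of executable extensions and writes one line to syslog; `WATCHED_EXT`, `is_watched` and `format_event` are names chosen here. incron watches only the directory named on a table line, not its subdirectories, so every directory that must be covered needs its own line.

```shell
#!/bin/sh
# drupal-fs-alert.sh - incron handler (added example, not Drupal's or incron's code).
# Invoked by incron as: drupal-fs-alert.sh <watched dir> <file name> <event flags>
# (incrontab placeholders $@ $# $%). Assumes GNU coreutils sha256sum and logger.

# Extensions that hold PHP code in a Drupal 7 site (assumed list).
# .htaccess is handled separately: it decides whether uploads may execute.
WATCHED_EXT="php module inc install theme engine profile"

# Return 0 when $1 (a path or file name) is worth an alert, 1 otherwise.
is_watched() {
    name=$(printf '%s' "${1##*/}" | tr 'A-Z' 'a-z')   # case-insensitive match
    [ "$name" = ".htaccess" ] && return 0
    rest=${name#*.}
    [ "$rest" != "$name" ] || return 1                 # no extension at all
    # Check every dotted segment, not only the last one, so "shell.php.txt"
    # (which Apache AddHandler setups still execute as PHP) is caught too.
    while :; do
        seg=${rest%%.*}
        case " $WATCHED_EXT " in *" $seg "*) return 0 ;; esac
        [ "$rest" != "$seg" ] || break
        rest=${rest#*.}
    done
    return 1
}

# Build the log line: "<flags> <dir>/<file> sha256=<hash|deleted>".
# The hash lets the on-call person compare against a clean release.
format_event() {
    dir=$1 file=$2 flags=$3
    path="$dir/$file"
    if [ -f "$path" ]; then
        sum=$(sha256sum -- "$path" | cut -c1-64)
    else
        sum=deleted
    fi
    printf '%s %s sha256=%s\n' "$flags" "$path" "$sum"
}

# Entry point when run by incron; skipped when the file is sourced without arguments.
if [ "$#" -ge 3 ]; then
    if is_watched "$2"; then
        line=$(format_event "$1" "$2" "$3")
        # auth.warning keeps these lines apart from the web server's own logs.
        logger -p auth.warning -t drupal-fs "$line" 2>/dev/null || printf '%s\n' "$line" >&2
    fi
fi
```

Because the handler runs with incrond's privileges on attacker-controlled file names, it deliberately does nothing with the name beyond quoting it: no eval, no unquoted expansion, no shell interpretation of the path.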

Considerations

When configuring a file-based monitoring strategy, there are many considerations, including the following:

Run the monitoring script/service as root

Running the monitor as root, or as any account the web server user cannot write to, means that an attacker who gains the web server's privileges through a vulnerable module cannot stop the monitor, edit its configuration or rewrite its baseline of known-good hashes. Keep the baseline and the logs outside the docroot for the same reason, and ship them off the host where you can. Since the monitor then runs privileged code over attacker-controlled file names, keep it small and never let a file name reach a shell unquoted.

Disable monitoring during scheduled maintenance/upgrades

This prevents a flood of expected notifications while you deploy updates. Re-enable monitoring and regenerate the baseline as soon as the window closes; a change made while monitoring is paused, whether by you or by someone else, is otherwise never seen, and a maintenance window that is left open is an obvious time to attack. A pause that expires by itself is safer than a manual switch that can be forgotten.

Monitor only executable filetypes

It may be reasonably safe to monitor only executable file types. In a Drupal 7 site that means more than .php: code also lives in .module, .inc, .install, .theme, .engine and .profile files, and the .htaccess files in the docroot and in sites/default/files decide whether an uploaded file can execute at all, so include them. Filtering this way reduces unnecessary log entries and alerts from uploads and cache files, but it misses PHP planted under another extension when the web server configuration still executes it (for example shell.php.txt under an Apache AddHandler configuration), so check the server's handler configuration before relying on extension filtering.

Use strict file system permissions

Read about securing file permissions and ownership. In general, the web server user should not be able to write to code directories, and the directories it can write to (uploads, temporary files) should not be executable; avoid granting write and execute permission on the same path when possible.
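The diff-based approach from the tools list, combined with the considerations above (executable file types only, a pause for maintenance windows, a baseline kept outside the docroot), as an added example that is not part of this page or of Drupal. `build_baseline` records a SHA-256 hash for every executable file under a docroot using paths relative to that root, so the same baseline can be taken from a clean drush make build or checkout and compared against production; `compare_baseline` reports ADDED, MODIFIED and REMOVED files and does nothing while a maintenance flag file exists. The function names, the extension list and the default flag path /var/run/drupal-maintenance are assumptions; the script expects GNU coreutils (sha256sum) and awk.

```shell
#!/bin/sh
# Baseline-and-compare integrity check for a Drupal 7 docroot
# (added example, not Drupal's code). Needs find, sha256sum, sort, awk.

# List watched files under $1 as sorted paths relative to $1.
# Extensions that hold PHP code in Drupal 7, plus .htaccess, which decides
# whether uploaded files may execute (assumed list).
watched_files() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.module' -o -name '*.inc' \
        -o -name '*.install' -o -name '*.theme' -o -name '*.engine' \
        -o -name '*.profile' -o -name '.htaccess' \) -print ) | sed 's#^\./##' | LC_ALL=C sort
}

# Write "<sha256>  <relative path>" for every watched file under $1 to file $2.
# Store $2 outside the docroot, owned by root, so the web server user cannot edit it.
build_baseline() {
    root=$1 out=$2
    watched_files "$root" | ( cd "$root" && while IFS= read -r f; do sha256sum -- "$f"; done ) > "$out"
}

# Compare the live tree under $1 with baseline file $2.
# $3 (optional) is a maintenance flag file; while it exists the check is skipped.
# Prints "ADDED|MODIFIED|REMOVED <path>" per difference.
# Exit status: 0 no changes, 1 changes found, 2 skipped for maintenance.
compare_baseline() {
    root=$1 baseline=$2 flag=${3:-/var/run/drupal-maintenance}
    if [ -e "$flag" ]; then
        echo "SKIPPED: maintenance flag $flag present" >&2
        return 2
    fi
    current=$(mktemp)
    build_baseline "$root" "$current"
    # sha256sum lines are 64 hex chars, two spaces, then the path (offset 67).
    diff_out=$(awk -v basefile="$baseline" '
        { hash = $1; path = substr($0, 67) }
        FILENAME == basefile { base[path] = hash; next }
        { seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$diff_out" ] && return 0
    printf '%s\n' "$diff_out"
    return 1
}
```

Run build_baseline once from a clean build (and again after every deliberate upgrade), then run compare_baseline from cron; a non-zero exit with output is the alert, and the relative paths in the output are what you restore from the clean build or from backup.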
